CEH: Footprinting and Recon

Before you can start any assessment, you should discuss and define the scope with management; the scope of the assessment identifies...

The scope of the assessment identifies the systems, network, policies and procedures, human resources, and any other component of the system that requires security evaluation. You should also agree with management on rules of engagement (RoE)—the "do's and don'ts" of the assessment.

Passive Footprinting

Involves gathering information without direct interaction. This type of footprinting is principally useful when there is a requirement that the information-gathering activities are not to be detected by the target.

Active Footprinting

Involves gathering information with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network.

Google search operators - intitle:<term>

Restricts results to pages whose title contains the term.

Google search operator - site:<url>

Restricts results to pages from the specified URL (domain).

Google search operator - filetype:<file extension>

Only returns files of the selected type.

Google operator - cache:

This operator allows you to view the cached version of a web page. [cache:www.google.com]—Query returns the cached version of the website www.google.com.

Google operator - allinurl:

This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: google career]—Query returns only pages containing the words "google" and "career" in the URL

Google operator - inurl:

This operator restricts the results to pages containing the word specified in the URL. [inurl: copy site:www.google.com]—Query returns only pages on the Google site in which the URL contains the word "copy".

Google operator - allintitle:

This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]—Query returns only pages containing the words "detect" and "malware" in the title

Google operator - inanchor:

This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]—Query returns only pages whose inbound link anchor text contains the word "Norton" and whose content contains the word "Anti-virus".

Google operator - allinanchor:

This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the page contains the words "best," "cloud," "service," and "provider".

Google operator - link:

This operator searches websites or pages that contain links to the specified website or page. [link:www.googleguide.com]—Finds pages that point to Google Guide's home page

Google operator - related:

This operator displays websites that are similar or related to the URL specified. [related:www.certifiedhacker.com]—Query provides the Google search engine results page with websites similar to certifiedhacker.com

Google operator - info:

This operator finds information for the specified web page. [info:gothotel.com]—Query provides information about the national hotel directory GotHotel.com home page

Google operator - location:

This operator finds information for a specific location. [location: 4 seasons restaurant]—Query gives you results based around the term "4 seasons restaurant".

theHarvester -d microsoft.com -l 200 -b baidu

theHarvester starts extracting the details and displays them on the screen. You can see the email IDs related to the target company and the target company hosts obtained from the Baidu source, as shown in the screenshot. Here, we specify the Baidu search engine as the data source (-b baidu). You can specify different data sources (e.g., Baidu, bing, bingapi, dogpile, Google, GoogleCSE, Googleplus, Google-profiles, linkedin, pgp, twitter, vhost, virustotal, threatcrowd, crtsh, netcraft, yahoo, all) to gather information about the target.

Parrot Security

Debian-based Linux security OS that includes theHarvester.

Tor Browser, ExoneraTor, OnionLand Search Engine

Search engines used in recon for searching the dark web.

Censys, Netcraft, Shodan

Recon: can be used to gather OS information about the target organization

theHarvester -d eccouncil -l 200 -b linkedin

Use theHarvester from Parrot Security (Debian) to search LinkedIn for eccouncil users.

Sherlock (Terminal: python3 sherlock.py satya nadella)

Sherlock is a Python-based tool that is used to gather information about a target person across various social networking sites. Sherlock searches a vast number of social networking sites for a given target username, locates the person, and displays the results along with the complete URL related to the target person.

Followerwonk (hootsuite/sysomos)

Followerwonk is an online tool that helps you explore and grow your social graph, digging deeper into Twitter analytics; for example, Who are your followers? Where are they located? When do they tweet? This can be used to gather Twitter information about any target organization or individual.

Find maximum frame size (ping <domain> -f -l ####)

ping www.certifiedhacker.com -f -l 1473 replies with "Packet needs to be fragmented but DF set", and ping www.certifiedhacker.com -f -l 1472 replies with a successful ping. This indicates that 1472 bytes is the maximum frame size on this machine's network (-f sets the Don't Fragment flag; -l sets the payload size).

ping www.certifiedhacker.com -i 3 -n 1 sends one echo request (-n 1) with the TTL set to 3 (-i 3). If a reply is received from the destination host (162.241.216.11), the TTL value was sufficient to reach it.

"192.168.100.6: TTL expired in transit" means that the router (192.168.100.6; you will see some other IP address) discarded the packet because its TTL expired (reached 0) before it reached the destination.

CentralOps.net

CentralOps (centralops.net) is a free online network scanner that investigates domains and IP addresses: DNS records, traceroute, nslookup, whois searches, etc. You can also use tools such as Website Informer (https://website.informer.com), Burp Suite (https://portswigger.net), Zaproxy (https://www.owasp.org), etc. to perform website footprinting on a target website.

Web Data Extractor

A tool that automatically extracts specific information from web pages. You can also use other web spiders such as ParseHub (https://www.parsehub.com), SpiderFoot (https://www.spiderfoot.net), etc. to extract the target organization's data.

HTTrack Web Copier

Website mirroring tool. Allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. Preserves the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. Can also update an existing mirrored site and resume interrupted downloads. You can also use other mirroring tools such as NCollector Studio (http://www.calluna-software.com), Cyotek WebCopy (https://www.cyotek.com), etc. to mirror a target website.

CeWL

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
▪ Tool to create a custom wordlist or dictionary
▪ Searches a target website for words meeting criteria set as inputs
cewl -d 2 -m 5 www.certifiedhacker.com (spider depth 2, minimum word length 5)
cewl -w wordlist.txt -d 2 -m 5 www.certifiedhacker.com (same, writing the words to wordlist.txt)

eMailTrackerPro

Analyzes email headers and reveals information such as the sender's geographical location, IP address, etc. You can also use email tracking tools such as Infoga (https://github.com), Mailtrack (https://mailtrack.io), etc. to track an email and extract target information such as sender identity, mail server, sender's IP address, location, etc.

whois.domaintools.com

Whois tools. You can also use other Whois lookup tools such as SmartWhois (https://www.tamos.com), Batch IP Converter (http://www.sabsoft.com), etc. to extract additional target Whois information. Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource such as a domain name, an IP address block, or an autonomous system. The protocol listens for requests on TCP port 43. Regional Internet Registries (RIRs) maintain Whois databases, which contain the personal information of domain owners. For each resource, the Whois database provides text records with information about the resource itself and relevant information on assignees, registrants, and administrative details (creation and expiration dates).

CMD: nslookup OR http://www.kloth.net/services/nslookup.php

If an attacker can determine the authoritative name server (primary name server) and obtain its associated IP address, he/she might attempt to exploit the server to perform attacks such as DoS, DDoS, URL redirection, etc. You can also use DNS lookup tools such as Professional Toolset (https://tools.dnsstuff.com), DNS Records (https://network-tools.com), etc. to extract additional target DNS information.

DNSRecon

Linux terminal tool to find IP address ranges.

Network Footprinting

Network footprinting is a process of accumulating data regarding a specific network environment. It enables ethical hackers to draw a network diagram and analyze the target network in more detail to perform advanced attacks.

Network Tracerouting

Network tracerouting is a process of identifying the path and hosts lying between the source and destination. It provides critical information such as the IP addresses of the hosts lying between the source and destination, which enables you to map the network topology of the organization. Traceroute can be used to extract information about network topology, trusted routers, firewall locations, etc.
Windows:
tracert www.certifiedhacker.com
tracert -h 5 www.certifiedhacker.com (maximum of 5 hops)
Linux:
traceroute www.certifiedhacker.com
You can also use other traceroute tools such as VisualRoute (http://www.visualroute.com), Traceroute NG (https://www.solarwinds.com), etc. to extract additional network information about the target organization.

recon-ng

Recon-ng is a full-featured web reconnaissance framework written in Python (CLI, Linux). It has independent modules and database interaction, and provides an environment in which open-source web-based reconnaissance can be conducted.

Maltego

Which tool allows analysts and pen testers to examine links between data using graphs and link analysis? Maltego is a footprinting tool used to gather maximum information for the purpose of ethical hacking, computer forensics, and pentesting. It provides a library of transforms to discover data from open sources and visualizes that information in a graph format suitable for link analysis and data mining. Maltego's graphical interface makes seeing these relationships instant and accurate, and even makes it possible to see hidden connections.

BillCipher

An information gathering tool for a website or IP address; includes a mirroring tool. You can also use other footprinting tools such as Recon-Dog (https://www.github.com), Th3Inspector (https://github.com), Raccoon (https://github.com), Orb (https://github.com), etc. to gather additional information related to the target company.